LOCAL CHAPTERS

Find chapters in your area

Panama Papers: What Data Breach Means for Law Firms

Experts worldwide are calling the data breach surrounding the so-called Panama Papers—more than 11.5 million documents detailing how hundreds of wealthy people hid money in offshore banks and investments to avoid paying taxes—the biggest data breach in history.

It’s a stark lesson for HR and IT professionals working in law firms about keeping data more secure.

Panamanian law firm Mossack Fonseca suffered a data breach of astronomical proportions when a hacker broke into the firm’s servers, stole millions of e-mails and PDFs, and then sent them to the press, the law firm has announced.

The papers reveal how tens of thousands of people, including high-ranking politicians, their families, celebrities and wealthy citizens of more than 40 countries, hid trillions of dollars in order to avoid paying taxes.

Hack Consequences

Fallout over the Panama Papers has been swift. After numerous protests, Iceland Prime Minister Sigmundur David Gunnlaugsson reportedly stepped down after the papers revealed he lied about hiding millions in an offshore company.

No one knows who stole the documents. The person who hacked into Mossack’s servers and released the information has remained anonymous. The law firm says it was an external hack.

“We rule out an inside job. This is not a leak,” Ramon Fonseca, one of the firm’s founding partners, told Reuters news service. “This is a hack.”

German newspaper Süddeutsche Zeitung spoke to the hacker. It writes that “the source wanted neither financial compensation nor anything else in return, apart from a few security measures” to protect how he or she revealed the information—including communicating with the press via encrypted messages.

HR Implications

HR and IT professionals who work at law firms must be especially cautious about protecting client data.

Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. The breaches were blamed on hackers, website attacks, or stolen or lost smartphones or computers. Last week, cyberthieves broke into two New York law firms that represent Fortune 500 companies and banks on Wall Street. U.S. federal investigators are examining the data breaches at Weil Gotshal & Manges LLP and Cravath Swaine & Moore LLP.

“There are some law firms with excellent automated and adaptive cyber defense capabilities, but many are stuck in the dark ages of wigs, candles to read by and quill pens to write with,” Phillip Lieberman, president of Los Angeles-based Lieberman Software, told American Lawyer.

Law firms need to do a better job with security, experts said.

“Until now, the legal industry has generally operated within a loose set of cybersecurity guidelines,” Sangster noted. “However, quickly, we expect to see hard-line compliance rules and fines come to firms with substandard cybersecurity defenses in the future.”

“Long story short, if you want to keep something confidential, don’t put it on a computer, specifically one connected to the Internet,” Dodi Glenn, vice president of cyber security at PC Pitstop, told SHRM Online. His Sioux City, Iowa-based company develops security software.

“The very second you do that, you can assume the data can be purloined.”

Aliah D. Wright is an online editor/manager for SHRM. Follow her on Twitter @1SHRMScribe or Facebook.com/aliahwrites.